(57) ABSTRACT 

A virtual private network enables private communications 
between two or more private networks over a shared MPLS 
network. The virtual private network disclosed includes 
multiple routers connected to the shared MPLS network and 
configured to dynamically distribute VPN information 
across the shared MPLS network. The VPN information 
distributed by a router includes a VPN identifier assigned to 
that router, which identifies a VPN with which that router is 
associated. The router includes a first table which stores a 
map of the label switched paths from the router in question 
to all other routers connected to the shared MPLS network. 
The router also includes a second table which stores a map 
of label switched paths from the router in question to all 
other routers connected to the shared MPLS network which 
share a common VPN identifier. 

26 Claims, 3 Drawing Sheets 
INTERNET PROTOCOL VIRTUAL PRIVATE NETWORK REALIZATION USING MULTI-PROTOCOL LABEL SWITCHING TUNNELS

FIELD OF THE INVENTION

The invention relates generally to the field of virtual private networks and more particularly, to distribution of private network information over shared network infrastructure in the Multi-Protocol Label Switching domain.

BACKGROUND OF THE INVENTION

With the growing popularity of the Internet and networks in general, there is a trend towards centralized network services and centralized network service providers. To be profitable, however, network service providers need to constantly maintain and if possible enlarge their customer base and their profits. Since leased line services are coming under increased competition, profit margins have been decreasing for these providers. Thus, an increased number of providers are trying to attract small and medium sized businesses by providing centralized network management.

Network providers are offering Virtual Private Networks (VPNs) to interconnect various customer sites that are geographically dispersed. VPNs are of great interest to both providers and to their customers because they offer privacy and cost efficiency through network infrastructure sharing. There has been difficulty providing this service, however, due to address conflicts, security problems, scalability issues and performance problems.

Various VPN models have been proposed with various degrees of security, privacy, scalability, ease of deployment and manageability. Some providers have even attempted to solve these problems using Multi-Protocol Label Switching (MPLS) networks. However the MPLS models proposed still suffer from some of the same problems discussed above (i.e. scalability, etc.).

Accordingly there exists the need for a scalable system which allows the implementation of separate virtual private networks over common infrastructure while providing security and sufficient performance to each network.

The need further exists for such a system which allows for communicating private traffic through a shared network.

It is accordingly an object of the present invention to provide a scalable system which allows the implementation of separate virtual private networks over common infrastructure while providing security and sufficient performance to each network.

It is another object of the invention to provide such a system which employs MPLS.

It is another object of the invention to provide such a system which allows for communication of private traffic through a shared network.

These and other objects of the invention will become apparent to those skilled in the art from the following description thereof.

SUMMARY OF THE INVENTION

It has now been discovered that these and other objects may be accomplished by the present virtual private networks which enable private communications over a shared MPLS network, between at least two private networks. The present invention includes multiple routers in communication with the shared MPLS network and configured to dynamically distribute VPN information across the shared MPLS network. The VPN information distributed by a particular one of the routers includes a VPN identifier assigned to that router. The VPN identifier identifies a VPN which the particular router is associated with. One of the routers includes a first table, stored therein, of label switched paths from that router to the remainder of routers in communication with the shared MPLS network. That router also includes a second table, stored therein, of nested label switched paths from that router to the remainder of routers in communication with the shared MPLS network which share a common VPN identifier.

In an embodiment of the invention, the virtual private network includes router means in communication with the shared MPLS network for routing VPN information across the shared MPLS network. The VPN information includes a VPN identifier assigned to the router means, which identifies a VPN with which the router means is associated. A first table is stored in the router means, and contains a list of all label switched paths across the shared MPLS network. A second table is stored in the router means and contains a list of nested label switched paths from a portion of the router means which is configured to communicate with one of the at least two private networks to another portion of the router means which is configured to communicate with another of the at least two private networks.

In another embodiment, the invention includes a method of configuring virtual private networks over a shared MPLS network. The method includes configuring the shared MPLS network including at least two routers in communication therewith. It further includes determining first information about all label switched paths between a first of the at least two routers and all others of the at least two routers, and storing the first information in the first router. The all others of the at least two routers includes a second router. The method also includes assigning a common VPN identifier to the first and second routers. It includes determining second information about all label switched paths between the second router and all remaining of the at least two routers, and storing the second information in the second router. The first router is a member of the remaining routers. It includes determining third information about all nested label switched paths between the first router and all others of the at least two routers which are assigned the common VPN identifier, and storing the third information in the first router. It also includes determining fourth information about all nested label switched paths between the second router and all remaining routers which are assigned the common VPN identifier, and storing the fourth information in the second router.

The invention will next be described in connection with certain illustrated embodiments; however, it should be clear to those skilled in the art that various modifications, additions and subtractions can be made without departing from the spirit or scope of the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

For a fuller understanding of the nature and objects of the invention, reference should be made to the following detailed description and accompanying drawings, in which:

FIG. 1 depicts a block diagram of a shared MPLS network in accordance with the invention;

FIG. 2 depicts a block diagram of the shared MPLS network depicted in FIG. 1 illustrating a router building up an LSP list;

FIG. 3 depicts an example of communicating an IP packet in accordance with the invention over the MPLS network depicted in FIG. 1.
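The first table (base label switched paths to every other router), the second table (nested paths only to routers sharing a VPN identifier) and the method steps summarized above can be exercised end to end in a small simulation. The Python below is an added example, not code from the patent or from any product it describes: the five-router topology, the VPN IDs 100 and 200, the 10.x prefixes and all label values are constructed for the illustration, and the virtual router (VR), nested label 40 and base label 50 terms are those of the detailed description that follows. It builds the first table by downstream label allocation over the LSP tree of each destination, assigns VPN IDs to VRs, builds the second table by a hello-style exchange that only succeeds between VRs of the same VPN, and then forwards a packet with the two-level label stack.

```python
"""Two-level label stack for an IP VPN over a shared MPLS core. Added illustration,
not the patent's code; topology, VPN IDs and private prefixes are constructed."""
import ipaddress
import itertools
from collections import deque

# Constructed provider links (links 30): VBRs at the edge, LSRs in the core.
TOPOLOGY = {"VBR-A": ["LSR-1"], "VBR-B": ["LSR-2"], "VBR-C": ["LSR-1", "LSR-2"],
            "LSR-1": ["VBR-A", "VBR-C", "LSR-2"], "LSR-2": ["LSR-1", "VBR-C", "VBR-B"]}

class Router:
    def __init__(self, first_label):
        self.labels = itertools.count(first_label)  # per-router label space
        self.base_fec = {}    # first table: dest router -> (next hop, out label)
        self.base_ilm = {}    # incoming base label -> (dest, next hop, out label)
        self.vrs = {}         # VPN ID -> VirtualRouter hosted on this VBR
        self.nested_ilm = {}  # nested label -> (VPN ID, peer VBR using it)

class VirtualRouter:
    def __init__(self, vpn_id):
        self.vpn_id = vpn_id
        self.peer_label = {}  # second table: peer VBR -> nested label 40
        self.routes = {}      # private prefix (ip_network) -> peer VBR

def next_hops_toward(topology, dest):
    """BFS from dest: every other router's next hop toward dest (LSP tree of FIG. 2)."""
    nh, seen, queue = {}, {dest}, deque([dest])
    while queue:
        cur = queue.popleft()
        for nbr in topology[cur]:
            if nbr not in seen:
                seen.add(nbr)
                nh[nbr] = cur
                queue.append(nbr)
    return nh

def build_base_mesh(topology):
    """Downstream label allocation, one FEC per destination router (base labels 50)."""
    routers = {n: Router(16 + 1000 * i) for i, n in enumerate(topology)}
    for dest in topology:
        local = {r: next(routers[r].labels) for r in topology}   # label each router accepts
        routers[dest].base_ilm[local[dest]] = (dest, None, None)  # egress pops
        for r, hop in next_hops_toward(topology, dest).items():
            routers[r].base_fec[dest] = (hop, local[hop])
            routers[r].base_ilm[local[r]] = (dest, hop, local[hop])
    return routers

def discover_peers(routers):
    """Hello down every base LSP; the far VBR answers only if it hosts a VR with the
    same VPN ID, then offers a nested label for the tunnel to itself."""
    for name, vbr in routers.items():
        for vpn_id, vr in vbr.vrs.items():
            for dest in vbr.base_fec:
                peer_vbr = routers[dest]
                if vpn_id not in peer_vbr.vrs:   # no VR for that <label space id>
                    continue
                label = next(peer_vbr.labels)
                peer_vbr.nested_ilm[label] = (vpn_id, name)
                vr.peer_label[dest] = label

def lookup(vr, dst_ip):
    """Longest-prefix match in the VR's private forwarding table."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [net for net in vr.routes if addr in net]
    if not hits:
        raise KeyError(f"no route to {dst_ip} in VPN {vr.vpn_id}")
    return vr.routes[max(hits, key=lambda net: net.prefixlen)]

def forward(routers, ingress, vpn_id, dst_ip):
    """Push nested label 40 then base label 50, swap the base label through the core,
    pop at the egress VBR and dispatch on the nested label -> (egress, VPN ID, trace)."""
    vr = routers[ingress].vrs[vpn_id]
    egress = lookup(vr, dst_ip)
    hop, base = routers[ingress].base_fec[egress]
    stack = [base, vr.peer_label[egress]]      # index 0 is top of stack
    trace, cur = [(ingress, list(stack))], hop
    while True:
        _, nxt, out = routers[cur].base_ilm[stack[0]]
        if nxt is None:
            stack.pop(0)                       # egress VBR pops the base label
            break
        stack[0] = out                         # LSR swaps base label; nested untouched
        trace.append((cur, list(stack)))
        cur = nxt
    vpn_at_egress, _ = routers[cur].nested_ilm[stack[0]]
    trace.append((cur, list(stack)))
    return cur, vpn_at_egress, trace

def build_network():
    """Two VPNs sharing the core, both reusing 10.1.0.0/16 and 10.2.0.0/16."""
    routers = build_base_mesh(TOPOLOGY)
    sites = [("VBR-A", 100, "VBR-B", "10.2.0.0/16"), ("VBR-B", 100, "VBR-A", "10.1.0.0/16"),
             ("VBR-A", 200, "VBR-C", "10.2.0.0/16"), ("VBR-C", 200, "VBR-A", "10.1.0.0/16")]
    for vbr, vpn_id, remote, prefix in sites:
        vr = routers[vbr].vrs.setdefault(vpn_id, VirtualRouter(vpn_id))
        vr.routes[ipaddress.ip_network(prefix)] = remote
    discover_peers(routers)
    return routers
```

Two properties are worth checking in the trace that `forward` returns: the nested label is identical at every hop while the base label is swapped at each LSR and popped at the egress, and a VR never obtains a nested label toward a VBR that hosts no VR of its own VPN. Because VPN 100 and VPN 200 both use 10.2.0.5, the separation between them rests entirely on the second table, not on the addresses. The distinct label ranges per router are only there to make the swaps visible; in MPLS each router's label space is independent anyway.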
DETAILED DESCRIPTION OF THE INVENTION

The present invention enables the formation of VPNs by distributing VPN information throughout a shared Multi-Protocol Label Switched (MPLS) network. While only Label Distribution Protocol (LDP) connections will be discussed, those skilled in the art will recognize that there are several ways to accomplish the distribution of the VPN information such as OSPF opaque LSAs, TCP connections, BGP-4, etc. without departing from the scope of the present invention.

The present invention exploits the Label Switch Path (LSP) mesh implicitly established between all edge routers in a MPLS domain. It uses two levels of LSP tunneling: the outer/base level, which is the hop-by-hop LSP tunneling that interconnects all VPN Border Routers/Label Switched Routers (VBRs/LSRs; VBRs are also referred to as edge routers); and the bottom-of-label-stack/nested level, which provides logically single-hop tunnels between VBRs. For each IP VPN, single-hop nested tunnels are established between all VBRs serving that particular VPN.

FIG. 1 illustrates a possible configuration of an MPLS network. Those skilled in the art will recognize that other configurations are possible (i.e. more or fewer LSRs, also referred to as core routers, more or fewer VBRs, and different connections therebetween). A service provider or consortium of service providers (the provider) wishing to offer IP VPN service first configures one or more MPLS domains. Each MPLS domain becomes a VPN area. The VPN area consists of VBRs 10 around the edge and core LSRs 20, interconnected by links 30. The interfaces to the links 30 each have assigned to them an IP address from the provider's IP address space. In particular a VBR 10 has an IP address in the provider's IP address space. This address is not directly visible within any of the IP VPNs that the VBR 10 will support.

The provider's routing regime determines routes within the MPLS domain and then, as per normal MPLS operation, Label Distribution Protocol is invoked to establish implicit LSPs across the MPLS domain which include the intermediate hops required to get from one VBR 10 to another VBR 10. FIG. 2 illustrates the label switched path tree terminating on a VBR 10. The full mesh is realized by label switched path trees terminating on all VBRs 10. The result is a full mesh of LSPs between all LSRs 20 and VBRs 10 (i.e. in each LSR and VBR there is a Forwarding Equivalence Class (FEC) to next hop label map that has an entry in it for every other LSR and VBR, giving the first hop of an LSP to that router; this defines the base tunnel mesh). These first hop labels in the FEC map are referred to as base labels. They will be used as the top-of-stack labels for all inter-VBR traffic. Base labels will be swapped at each LSR 20 on the path to the destination VBR 10.

After the MPLS network is configured, the provider can configure a VPN. To do so, the provider selects VBRs 10 from the MPLS domain that will serve the VPN and configures a Virtual Router (VR) at each one by assigning it a VPN ID. While VRs are discussed herein, those skilled in the art will recognize that other routing mechanisms such as bridges, switches and the like could be employed without departing from the scope of the invention. The provider then provisions stub links (i.e. links between VRs and one or more routers at each private network (private routers)). Stub link interfaces are assigned IP addresses from the private network's IP address space. If the provider has a globally unique subnet address range, he can reuse it within every IP VPN. It will not overlap with the private network IP address space whether the private network is using its own globally unique address space, or is using private addresses, 10.x.x.x etc.

If the IP VPN to be established spans multiple VPN areas the provider must enable VRs in some of the gateway VBRs that straddle the relevant VPN areas. These gateway VRs will participate in the following steps in all the VPN areas in which they are configured to operate.

Using a VR to exchange routing information with one or more enterprise site routers is the most general mechanism for disseminating private network reachability information. Part of the stub link configuration is to specify what routing protocol runs over it, between the private network router and the VBR 10.

The LDP session initiation process is used as the method of VRs discovering their peers, since an object of the present invention is to establish a second level of MPLS tunnels. Every VR sends an LDP hello message down every base network LSP that exits its VBR. Hello messages (and any subsequent session messages) are encapsulated with the base MPLS label so that they are carried all the way to the destination VBR 10. The LDP hello message is a form of query to determine if a VR for the same VPN (a peer) resides at the destination VBR. The VPN ID is carried in the header of the LDP link hello as the <label space id> field. A receiving VBR 10 will only register an LDP hello adjacency if the <label space id> is one that it supports (i.e. if it has a VR for the same VPN ID).

When a hello adjacency is registered, the relevant VR proceeds to initiate an LDP session with its peer. One of the two VRs will initiate a TCP connection to the other. The IP source and destination addresses used here are the base network IP addresses of the respective VBRs 10. After the TCP connection is in place, and the necessary initiation messages have been exchanged, then an LDP session between the peer VRs exists. Once the LDP session is established, the two VRs each offer the other a label for an LSP tunnel to itself. The peer VR will store this in a forwarding table as the nested label 40 (i.e. the first label to be pushed on the label stack) for the destination VR. This nested label 40 does not include any labels for intermediate hops required to traverse the MPLS network. As far as the VRs are concerned, this tunnel is a single hop to its peer. This label is referred to as the peer label or nested tunnel label.

The peer labels may be the only ones that are exchanged between VRs, but this is not a requirement. Extra labels may be exchanged for encapsulating different classes of traffic destined for different VRs.

As a result of routing exchanges between peer VRs and between VRs and private network routers, as appropriate, each VR will build a forwarding table that relates private network address prefixes (forward equivalency classes) to next hop. The next hop could be stored as the IP addresses of the end points of the nested LSP tunnel to be used, or it could just be the tunnel labels (both levels). As illustrated in FIG. 3, when IP packets arrive whose next hop is a VBR 10, the forwarding process pushes first the label 40 for the peer VR (the nested tunnel label). Then the base label 50, for the first hop of the base network LSP that leads to the VBR 10, is pushed onto the packet. The doubly labeled packet is then forwarded to the next LSR in the base network LSP. When the packet arrives at the destination VBR 10 the outermost label 50 may have changed several times, but the nested label 40 has not changed. As the label stack is popped, the nested label 40 is used to direct the packet to the correct VR.
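The discovery step above, the VPN ID carried as the LDP <label space id> and the receiving VBR registering an adjacency only for VPN IDs it hosts a VR for, can be made concrete at the byte level. The Python below is an added example, not code from the patent; it follows the LDP PDU header, Hello message and Common Hello Parameters TLV layout of RFC 3036, and the LSR IDs, VPN IDs, message IDs and hold time are constructed. The `HelloReceiver` class is an assumption about how a VBR would implement the filtering the text describes, not something the patent specifies.

```python
"""LDP link hello with the VPN ID in the <label space id> field. Added illustration,
not the patent's code. Layout per RFC 3036; addresses and IDs are constructed."""
import ipaddress
import struct

LDP_VERSION = 1
MSG_HELLO = 0x0100          # Hello message type (U bit clear)
TLV_COMMON_HELLO = 0x0400   # Common Hello Parameters TLV
HELLO_PDU_LEN = 26          # 4 (version, length) + 6 (LDP identifier) + 16 (hello message)


def build_hello(lsr_id, vpn_id, msg_id, hold_time=15, targeted=False):
    """Encode a link hello whose LDP Identifier carries vpn_id as the label space id."""
    if not 0 <= vpn_id <= 0xFFFF:
        raise ValueError("label space id is a 16-bit field")
    flags = 0x8000 if targeted else 0              # T bit; R bit left clear
    tlv = struct.pack("!HHHH", TLV_COMMON_HELLO, 4, hold_time, flags)
    body = struct.pack("!I", msg_id) + tlv         # message ID, then the mandatory TLV
    message = struct.pack("!HH", MSG_HELLO, len(body)) + body
    ldp_id = ipaddress.IPv4Address(lsr_id).packed + struct.pack("!H", vpn_id)
    pdu_body = ldp_id + message
    return struct.pack("!HH", LDP_VERSION, len(pdu_body)) + pdu_body


def parse_hello(pdu):
    """Decode a hello PDU, raising ValueError on anything malformed.
    Optional TLVs after the Common Hello Parameters TLV are accepted and ignored."""
    if len(pdu) < HELLO_PDU_LEN:
        raise ValueError("truncated PDU")
    version, pdu_len = struct.unpack_from("!HH", pdu, 0)
    if version != LDP_VERSION or pdu_len != len(pdu) - 4:
        raise ValueError("bad PDU header")
    lsr_id = str(ipaddress.IPv4Address(pdu[4:8]))
    (label_space_id,) = struct.unpack_from("!H", pdu, 8)   # the VPN ID in this design
    msg_type, msg_len = struct.unpack_from("!HH", pdu, 10)
    if msg_type & 0x7FFF != MSG_HELLO or msg_len != len(pdu) - 14:
        raise ValueError("not a well-formed Hello message")
    (msg_id,) = struct.unpack_from("!I", pdu, 14)
    tlv_type, tlv_len, hold_time, flags = struct.unpack_from("!HHHH", pdu, 18)
    if tlv_type & 0x3FFF != TLV_COMMON_HELLO or tlv_len != 4:
        raise ValueError("missing Common Hello Parameters TLV")
    return {"lsr_id": lsr_id, "vpn_id": label_space_id, "msg_id": msg_id,
            "hold_time": hold_time, "targeted": bool(flags & 0x8000)}


class HelloReceiver:
    """Receiving VBR (assumed implementation): registers a hello adjacency only
    when it hosts a VR for the VPN ID found in the label space id."""

    def __init__(self, hosted_vpn_ids):
        self.hosted = set(hosted_vpn_ids)
        self.adjacencies = {}    # (peer LSR id, VPN ID) -> hold time

    def receive(self, pdu):
        try:
            hello = parse_hello(pdu)
        except ValueError:
            return False         # malformed: drop before consulting the VPN ID
        if hello["vpn_id"] not in self.hosted:
            return False         # no VR for that <label space id>: ignore the hello
        self.adjacencies[(hello["lsr_id"], hello["vpn_id"])] = hello["hold_time"]
        return True
```

Two caveats follow directly from the encoding. The label space id is a 16-bit field, so this scheme can distinguish at most 65,536 VPN IDs behind one LSR ID. And the hello carries nothing that authenticates its sender (RFC 3036 hellos run over UDP and are outside the TCP MD5 protection available to the session), so in this design the only thing limiting who can present a given VPN ID to a VBR is that hellos arrive inside a base LSP of the provider network; the receiver above therefore validates the PDU structure first and acts on the VPN ID only afterwards.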
It will thus be seen that the invention efficiently attains the 
objects set forth above, among those made apparent from the 
preceding description. In particular, the invention provides a 
virtual private network and methods of configuring the same 
over a MPLS shared network. Those skilled in the art will 
appreciate that the configuration depicted in FIGS. 1-3 
discloses a shared MPLS network which allows the imple- 
mentation of separate networks over common infrastructure 
while providing security, scalability and performance to 
each network. 

It will be understood that changes may be made in the 
above construction and in the foregoing sequences of opera- 
tion without departing from the scope of the invention. It is 
accordingly intended that all matter contained in the above 
description or shown in the accompanying drawings be 
interpreted as illustrative rather than in a limiting sense. 

It is also to be understood that the following claims are 
intended to cover all of the generic and specific features of 
the invention as described herein, and all statements of the 
scope of the invention which, as a matter of language, might 
be said to fall therebetween. 

Having described the invention, what is claimed as new 
and secured by Letters Patent is: 

1. A virtual private network (VPN) which enables private 
communications over a shared Multi-Protocol Label 
Switched (MPLS) network, between at least two private 
networks, comprising: 

a plurality of routers in communication with the shared 
MPLS network and configured to dynamically distrib- 
ute VPN information across the shared MPLS network, 
wherein said VPN information distributed by a particu- 
lar one of said plurality of routers includes a VPN 
identifier assigned to said particular one of said plural- 
ity of routers, which identifies a VPN which said 
particular one of said plurality of routers is associated 
with; 

a first table, stored in one of said plurality of routers, of 
label switched paths from said one of said plurality of 
routers to a remainder of said plurality of routers; 

a second table, stored in said one of said plurality of 
routers, of nested label switched paths from said one of 
said plurality of routers to a remainder of said plurality 
of routers which share a common VPN identifier. 

2. The virtual private network according to claim 1 further 
comprising: 

a third table, stored in another of said plurality of routers, 
of label switched paths from said another of said 
plurality of routers to all others of said plurality of 
routers; and, 

a fourth table, stored in said another of said plurality of 
routers, of nested label switched paths from said 
another of said plurality of routers to all others of said 
plurality of routers which share a common VPN iden- 
tifier. 

3. The virtual private network according to claim 2 
wherein said second and fourth tables are formed using a 
Label Distribution Protocol to determine said nested label 
switched paths. 

4. The virtual private network according to claim 2 
wherein: 

said one of said plurality of routers and said other of said 
plurality of routers are assigned a common VPN iden- 
tifier; 

said second table includes a nested label switch path from 65 
said one of said plurality of routers to said another of 
said plurality of routers; and 






said fourth table includes a nested label switch path from 
said another of said plurality of routers to said one of 
said plurality of routers. 

5. The virtual private network according to claim 4 further 
comprising at least one core label switched router coupled 
between said one and another of said plurality of routers and 
configured to transport communications between said one 
and another of said plurality of routers. 

6. The virtual private network according to claim 2 further 
comprising: 

another MPLS network in communication with said 
shared MPLS network; 

another plurality of routers in communication with said 
another MPLS network and configured to dynamically 
distribute said VPN information across said another 
MPLS network, wherein said another plurality of rout- 
ers includes said another of said plurality of routers; 

a fifth table, stored in said another of said plurality of 
routers, of label switched paths from said another of 
said plurality of routers to a remainder of said another 
plurality of routers; and, 

a sixth table, stored in said another of said plurality of 
routers, of nested label switched paths from said 
another of said plurality of routers to a remainder of 
said another plurality of routers which share a common 
VPN identifier. 

7. The virtual private network according to claim 6 further 
comprising: 

a seventh table, stored in one of said another plurality of 
routers, of label switched paths from said one of said 
another plurality of routers to all others of said another 
plurality of routers; and, 

an eighth table, stored in said one of said another plurality 
of routers, of nested label switched paths from said one 
of said another plurality of routers to all others of said 
another plurality of routers which share a common 
VPN identifier. 

8. The virtual private network according to claim 7 
wherein said sixth and eighth tables are formed using said 
Label Distribution Protocol to determine said nested label 
switched paths. 

9. The virtual private network according to claim 7 
wherein: 

said one of said plurality of routers includes a first private 
router; and, 

said another of said plurality of routers includes a second 
private router. 

10. The virtual private network according to claim 2 
wherein at least one of said plurality of routers is a virtual 
router. 

11. A virtual private network (VPN) which enables private 
communications over a shared Multi-Protocol Label 
Switched (MPLS) network, between at least two private 
networks, comprising: 

router means in communication with the shared MPLS 
network for routing VPN information across the shared 
MPLS network, wherein said VPN information 
includes a VPN identifier assigned to said router means, 
which identifies a VPN which said router means is 
associated with; 

a first table, stored in said router means, of all label 
switched paths across the shared MPLS network; and, 

a second table, stored in said router means, of nested label 
switched paths from a portion of said router means 
which is configured to communicate with one of the at 
least two private networks to another portion of said 
router means which is configured to communicate with 
another of the at least two private networks. 

12. The virtual private network according to claim 11 
further comprising: 

a third table, stored in said router means, of all label 
switched paths across the shared MPLS network; and 

a fourth table, stored in said router means, of nested label 
switched paths from said another portion of said router 
means to said portion of said router means. 

13. The virtual private network according to claim 12 
wherein said second and fourth tables are formed using a 
Label Distribution Protocol to determine said nested label 
switched paths. 

14. The virtual private network according to claim 12 
wherein said router means comprises: 

a first router, a second router and at least one core label 
switched router in communication with said first and 
second routers and configured to transport communi- 
cations therebetween. 

15. The virtual private network according to claim 14 
further comprising: 

another MPLS network in communication with said 
shared MPLS network; 

second router means in communication with said another 
MPLS network for distributing said VPN information 
across said another MPLS network, wherein said sec- 
ond router means includes said second router and a 
third router; 

a fifth table, stored in said second router, of all label 
switched paths across said another MPLS network; 
and, 

a sixth table, stored in said second router, of nested label 
switched paths from said second router to said third 
router. 

16. The virtual private network according to claim 15 
further comprising: 

a seventh table, stored in said third router, of all label 
switched paths from said third router across said 
another MPLS network; 

an eighth table, stored in said third router, of nested label 
switched paths from said third router to said second 
router. 

17. The virtual private network according to claim 16 
wherein said sixth and eighth tables are formed using a 
Label Distribution Protocol to determine said nested label 
switched paths. 

18. The virtual private network according to claim 11 
wherein said router means includes at least one virtual 
router. 

19. A method of configuring virtual private networks over 
a shared MPLS network comprising: 

configuring a shared MPLS network including at least two 
routers in communication therewith; 

determining first information about all label switched 
paths between a first of said at least two routers and all 
others of said at least two routers, wherein said all 
others of said at least two routers includes a second 
router; 

storing said first information in said first router; 

assigning a common VPN identifier to said first and 
second routers; 

determining second information about all label switched 
paths between said second router and all remaining of 
said at least two routers, wherein said first router is a 
member of said all remaining of said at least two 
routers; 
storing said second information in said second router; 

determining third information about all nested label 
switched paths between said first router and all others 
of said at least two routers which are assigned said 
common VPN identifier; 

storing said third information in said first router; 

determining fourth information about all nested label 
switched paths between said second router and all 
remaining of said at least two routers which are 
assigned said common VPN identifier; 

storing said fourth information in said second router. 

20. The method of configuring virtual private networks 
according to claim 19 wherein said determining said third 
and fourth information is performed using a Label Distri- 
bution Protocol. 

21. The method of configuring virtual private networks 
according to claim 19 further comprising: 

partitioning said MPLS network into a plurality of net- 
work areas; 

wherein said at least two routers are in communication 
with one of said areas; 

wherein a plurality of routers are in communication with 
another of said plurality of network areas; 

wherein at least two of said network areas are in com- 
munication through said second router; 

determining fifth information about all label switched 
paths between said second router and all others of said 
plurality of routers, wherein said all others of said 
plurality of routers includes a third router; 

storing said fifth information in said second router; 

assigning said common VPN identifier to said third 
router; 

determining sixth information about all nested label 
switched paths between said second router and all 
others of said plurality of routers which are assigned 
said common VPN identifier; 

storing said sixth information in said second router; 

communicating said sixth information from said second 
router to said first router; 

storing said sixth information in said first router. 

22. The method of configuring virtual private networks 
according to claim 21 further comprising: 

determining seventh information about all label switched 
paths between said third router and all remaining of 
said plurality of routers, wherein said all others of said 
plurality of routers includes said second router; 

storing said seventh information in said third router; 

determining eighth information about all nested label 
switched paths between said third router and all 
remaining of said plurality of routers which are 
assigned said common VPN identifier; 

storing said eighth information in said third router. 

23. The method of configuring virtual private networks 
according to claim 22 wherein said determining said sixth 
and eighth information is performed using a Label Distri- 
bution Protocol. 

24. The method of configuring virtual private networks in 
accordance with claim 22 further comprising: 

creating a link between a first private network router and 
said first router; 

creating a link between a second private network router 
and said third router; 

transmitting an IP packet from said first private network 
router to said second private network router including: 
transmitting said IP packet from said first private net- 
work router to said first router across said link 
therebetween; 

said first router pushing a label from said third infor- 
mation onto said IP packet when said first router 
receives said IP packet; 

after pushing a label from said second information onto 
said IP packet, pushing a label from said first infor- 
mation onto said IP packet; and forwarding said 
labeled IP packet to said second router; 

said second router replacing said label from said second 
information with a label from said sixth information; 
and, 

forwarding said IP packet towards said third router. 
25. The method of configuring virtual private networks in 
accordance with claim 24 further comprising: 

at least one core label switched router coupled between 
said first and second routers which replaces said label 
from said second information with a different label; 
and, 

wherein the second router replaces the different label with 
said label from said sixth information. 



26. The method of configuring virtual private networks in 
accordance with claim 19 further comprising: 

creating a link between a first private network router and 
said first router; 

creating a link between a second private network router 
and said second router; 

transmitting an IP packet from said first private network 
router to said second private network router including: 

transmitting said IP packet from said first private net- 
work router to said first router across said link 
therebetween; 

said first router pushing a label from said third infor- 
mation onto said IP packet when said first router 
receives said IP packet; 

after pushing a label from said third information onto 
said IP packet, pushing a label from said first infor- 
mation onto said IP packet; and forwarding said 
labeled IP packet. 